Account Takeover , Cybercrime , Fraud Management & Cybercrime

Bank Account Credentials Sell for an Average of $71, Report Finds Ishita Chigilli Palli (Ishita_CP) • July 10, 2020    

Banking and financial credentials are the most common listings on darknet sites (Source: Digital Shadows)

Five billion unique user credentials are circulating on darknet forums, with cybercriminals offering to sell access to bank accounts as well as domain administrator access to corporate networks, according to the Photon Research Team at security firm Digital Shadows.

See Also: A Guide to Digital Identity Verification: The Technology & Trends

Researchers found that more than 15 billion user credentials are in circulation, of which 5 billion username and password combinations don’t have repeated credential pairs and have been advertised on underground forums only once, according to the report released this week.

“More often than not, credentials that are exposed are reposts or amalgamations of previously exposed credentials,” says Kacey Clark, a threat researcher at Digital Shadows. “Security teams that monitor for these types of issues, therefore, may well have already remediated the risk. Unique credentials, however, represent a higher risk and so are likely of greater concern for security teams.”

There’s been a 300% increase in the number of stolen credentials circulating on these underground forums since 2018. After an 18-month research effort, the researchers estimate that the credentials stem from nearly 100,000 data breaches that have taken place over the last two years, according to Digital Shadows (see: Stolen Zoom Credentials: Hackers Sell Cheap Access).

“I’m not overly surprised by the numbers,” Troy Hunt, creator of the HaveIBeenPwned breach notification service, tells Information Security Media Group. “Anecdotally, I’ve noticed a lot more credential stuffing lists in circulation recently, and just like the [COVID-19] pandemic itself, they seem to be replicating at a fierce rate.”

High-End Accounts

Cybercriminals employ a variety of techniques to carry out account takeovers. Some criminals buy credentials on darknet marketplaces, where a single account costs on average $15.43. But the more sought-after banking credentials sell for an average of $71, according to the report.

The price for access to a single bank account can exceed $500 depending on factors such as the amount of money in the account, the availability to access personally identifiable information and the account’s age, the report notes.

The advertisements for access to these types of high-end accounts comprised 25% of all advertisements on underground sites analyzed by Digital Shadows.

In addition, the researchers found that credentials for domain administrator access to corporations and government agencies, where there is potential for a complete network compromise, can be sold for as high as $140,000 if a bidding war takes place. But the average selling price is about $3,100, according to the report.

To give a potential buyer of admin credentials additional information to help make a sale, some underground forums include details such as the number of devices running on the network, how many employees work at the company and any intellectual property or sensitive documents on the system, the report states.

“Cybercriminals target the obvious goldmines of financial or internal company accounts, but they also see value in things like streaming or anti-virus accounts,” Clark tells ISMG.

For example, video game account credentials sell for as little as $2, the report notes.

Many individuals use the same credentials across multiple platforms, researchers at Digital Shadows note. This leaves users vulnerable to account takeovers by hackers implementing brute-force attacks. And the tools for such attacks can be purchased on the darknet for an average price of $4, according to the report.

Harvesting Credentials

Apart from buying credentials directly on the darknet, cybercriminals also use brute-force cracking tools and account checkers to steal information, according to the report. “Based on their descriptions, these tools can ‘crack’ accounts associated with banking, video games, e-commerce services, social media, streaming, VPN accounts and proxy services,” the report notes.

Many hackers also harvest banking credentials using Trojans, keyloggers and man-in-the-middle browser attacks, which enable them to steal the data directly from victims’ online banking portals, according to the report.

Once a hacker obtains a list of credentials, they can then buy or rent tools for credential-stuffing attacks – automated login attempts using a combination of usernames and plaintext passwords, the report notes.

The Digital Shadows researchers also note that some sites rent out identity credentials for a limited amount of time for less than $10. These sites offer not just access to compromised accounts, but also browser data, such as IP addresses, time zones and cookies, which make it easier to avoid detection, according to the report.

Cybercriminals also sometimes share credentials for free on forums to help build a sense of community, Clark says. “After someone posts a hashed data set, other forum users work on dehashing it and then post the plaintext passwords as a database.”

Managing Editor Scott Ferguson contributed to this report.

Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Malwarebytes: New Research Discloses Data Exfiltration Capability Doug Olenick (DougOlenick) • July 10, 2020    

Additional research by Malwarebytes has found the EvilQuest Mac malware is not purely ransomware but primarily an info stealer that has been renamed ThiefQuest. (Photo: Getty Images)

The Mac malware originally labeled as “EvilQuest,” which researchers initially identified as a poorly designed ransomware variant, apparently is primarily an information stealer with ransomware-like elements designed to confuse security tools, according to the security firm Malwarebytes.

See Also: Live Webinar | Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

During the initial investigation into the malware, now renamed “ThiefQuest,” researchers missed a small piece of code written in Python that can exfiltrate data from an infected system, says Thomas Reed, director of Mac and mobile at Malwarebytes (see: Ransomware Targets Mac Users).

The Python script was uncovered after Malwarebytes researchers noticed the malware making hundreds of connections to a command-and-control server and removing data that apparently had nothing to do with typical ransomware activity.

Even though ThiefQuest’s main task may not be encrypting a victim’s data, SentinelOne has released a free decryptor on Github to help any potential victims who had data encrypted by attackers.

“SentinelLabs research suggests that EvilQuest is not related to public key encryption and in fact often uses a table normally associated with block cipher RC2. Knowing this, the SentinelLabs team was able to break the EvilQuest encryption routine, unlocking files and disrupting the attack chain,” the company said in a statement.

Malwarebytes has not yet determined how many victims have been hit with ThiefQuest, Reed says.

ThiefQuest’s Activity

A closer examination of ThiefQuest reveals how the information stealer works, Malwarebytes says.

“This script scans through all the files in the /Users/ folder – the folder that contains all user data for all users on the computer – for any files having certain extensions, such as .pdf, .doc, .jpg, etc. Some extensions in particular indicate points of interest for the malware, such as .pem, used for encryption keys, and .wallet, used for cryptocurrency wallets,” Reed notes in an updated report published Tuesday.

The stolen files, which include cryptocurrency wallets and various types of keys, are collected and then uploaded to the command-and-control server through an unencrypted HTTP, according to the report.

The fact that ThiefQuest has a data exfiltration feature is not proof it is a combination ransomware/info stealer like Maze, which is used to exfiltrate data and then extort ransoms for withholding release, Reed says (see: Ransomware + Exfiltration + Leaks = Data Breach ).

“We’re not sure at this point. That’s entirely possible, but some of the information being targeted suggests the malware is interested in things like cryptocurrency wallets (direct access to funds) and a variety of keys that could be used to gain access to systems (ssh keys, for example),” he says. “Although that doesn’t rule out the possibility of extortion, it doesn’t really point the finger in that direction either.”

As noted in the original Malwarebytes report, distribution of this malware was handled through fake installers, such as for Little Snitch – a host-based application firewall for Apple macOS.

Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Fraudsters Using Fake Account Alerts to Steal Microsoft Credentials Prajeet Nair (@prajeetspeaks) • July 10, 2020    

Spoofed Zoom alert that’s part on an ongoing phishing campaign (Source: Abnormal Security)

A recently uncovered phishing campaign is using spoofed Zoom account alerts to steal Microsoft Office 365 credentials, according to a report from security firm Abnormal Security.

See Also: Live Webinar | Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

Using fake Zoom alerts to help disguise phishing emails comes at a time when use of the cloud-based video conferencing platform is skyrocketing due to work-from-home arrangements. A report following Zoom’s settlement with the New York state attorney general’s office over privacy and data security complaints showed that Zoom was supporting approximately 300 million meeting participants each day on its platform at the end of April, compared to about 10 million daily meeting participants in January (see: Zoom’s New York Settlement Spells Out Security Moves).

The Abnormal Security report notes that this large-scale reliance on Zoom for corporate communications is driving fraudsters and cybercriminals to use the company’s images and logos in phishing emails to give them a look of legitimacy and urgency.

“Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic,” the researchers note in the report. “Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website.”

The researchers note that these Zoom-themed phishing emails have appeared in approximately 50,000 inboxes since the campaign started earlier this year.

Spoofed Notifications

Researchers found that fraudsters are sending victims phishing emails mimicking an automated notification from Zoom that spoofs the official Zoom corporate email address. These messages claim that the recipient will not be able to use the video conferencing platform until they click a link embedded in the email to reactivate their account, according to the report.

If the victim clicks on the malicious link embedded in the email, the user is taken to what appeared to be an Office 365 login page but was actually a malicious domain controlled by the fraudsters. The fake login page prompts the targeted victim to input their Office 365 username and password to reset their account, but the credentials are instead harvested by the fraudsters.

“Though the email impersonates the Zoom brand, the attacker is targeting the recipient’s Microsoft credentials, which can be used to access a larger trove of sensitive information,” the report notes.

Go Phish

Other phishing campaigns have also taken advantage of the new reliance on collaboration and video conferencing software to create realistic-looking messages that target at-home workers.

In April, researchers found fraudsters using spoofed messages and images from Zoom and Cisco WebEx as lures in phishing campaigns that were designed to steal credentials or distribute malware (see: Cybercriminals Using Zoom, WebEx as Phishing Lures: Report).

Credentials for Office 365 and other Microsoft products are a frequent target of these attacks. This week, a federal court granted Microsoft an injunction to seize several malicious domains that spoofed the company’s products and services as part of numerous phishing attempts (see: Microsoft Seizes Domains Used for COVID-19 Phishing Scam).

As cyberthreats facing healthcare organizations soar, medical device maker Becton, Dickinson and Co. has ramped up its process for coordinated disclosure of vulnerabilities to help identify, assess and communicate issues to regulators and industry stakeholders, says Dana-Megan Rossi, the manufacturer’s director of information security threat and vulnerability management.

“We work hand-in-hand with security researchers and really welcome them to be part of our process – they help to make our products better,” Rossi says in an interview with Information Security Media Group.

“They help us to find things, because technology is going to age. Eventually everything is going to come to the surface where you’re going to either need to remediate or mitigate a potential vulnerability.”

Assessing Problems

BD encourages independent researchers to reach out to the manufacturer about the discovery of vulnerabilities, she notes. The company’s product security incident response team, research and development team and product quality team work closely with any researchers filing a report, she notes.

Potential security vulnerabilities are carefully assessed, she adds. “Regardless of whether or not there’s any type of patient safety issue, we’re always going to disclose and communicate within 30 days.”

BD also works with the Department of Homeland Security, the Food and Drug Administration and the Health Information Sharing and Analysis Center “to make sure we can put together a responsible disclosure that lets our customers know ‘here’s what we found, here’s what you need to know about it, and here are steps to either remediate it … or to mitigate it’.”

In this interview (see audio link below photo), Rossi also discusses:

• Security challenges involving legacy devices;
• The impact of COVID-19 on the cybersecurity threat landscape;
• The state of medical device cybersecurity and areas of progress.

Rossi, an attorney, leads global information security threat and vulnerability management at BD. Her work focuses on strategic and tactical security operations and initiatives, collaborations and global programs to enhance security. She also serves as the healthcare and public health sector chief for the FBI’s InfraGard for the National Capital Region and is a member of the Cyber Health Working Group.

Cybercrime , Fraud Management & Cybercrime , Information Sharing

As Governments Underinvest in Law Enforcement, Private Firms Fill Intelligence Gap Mathew J. Schwartz (euroinfosec) • July 10, 2020    

U.S. prosecutors this week revealed a newly unsealed 2018 indictment against the alleged hacker “Fxmsp” after his identity was revealed in a cybersecurity firm’s report. That sequence of events has highlighted the importance of information sharing as well as law enforcement’s reliance on private cybersecurity researchers. And it raised questions about the line between serving the public good and a private firm’s bottom line (see: Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand).

See Also: Maintain a Clear Bill of (Third-Party Risk) Health

On Tuesday, a federal judge approved a U.S. attorney’s request to unseal an indictment and arrest warrant against Kazakhstan national Andrey Turchin, 37, who’s been charged with five felony counts of computer fraud and abuse, wire fraud and access device fraud. The request was made after Turchin was named as being Fxmsp in a report published last month by Group-IB (see: Studying an ‘Invisible God’ Hacker: Could You Stop ‘Fxmsp’?).

“Research by private companies is becoming not only a tool to tackle those behind cyberattacks, but also a key marketing tool in many companies’ arsenals.” 

But prosecutors said another reason for the court documents to be unsealed is that they believe that Turchin already knew of the U.S. charges against him, including allegations that his Fxmsp operation hacked into at least 300 organizations globally, including 34 in the U.S. The Justice Department didn’t immediately respond to a request for comment about how Turchin might have known of the charges against him.

On June 23, cybersecurity firm Group-IB, which is based in Moscow but opened a global headquarters last year in Singapore, desecribed Fxmsp’s operations in a lengthy report designed to help organizations protect themselves against copycat attackers.

Geographical distribution of Fxmsp’s known victims. Note: Map doesn’t include five international firms, or eight firms for which Fxmsp listed no location. (Source: Group-IB)

Prosecutors, in their court filing, notably steer clear of denigrating the work of any cybersecurity researchers.

“Given the group’s prolific nature, sophistication, and notable victims, ‘Fxmsp’ and his accomplices, commonly referred to collectively as the ‘Fxmsp’ group, have been a subject of interest of cybersecurity researchers,” prosecutors told the court in their motion to unseal the records, which references the Group-IB report. “In addition to tracking ‘Fxmsp’s’ evolution and his group’s exploits and list of victims, this report publicly identified ‘Fxmsp’ as Andrey Turchin, of Kazakhstan, and provided a detailed explanation of the researchers’ attribution determination.”

Naming Suspected Criminals

Should Group-IB have published its detailed analysis of the hacker’s identity? To be clear, there are no rules against doing so, although attribution can be tricky.

“For security researchers, it’s a real conundrum about whether they name people because they, of course, don’t know what law enforcement operations are going on,” says cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey in England. “It’s also a bit dangerous to name people anyway because, as we know, attribution is difficult.”

Group-IB tells me that one month before publishing the report, it provided it to two international law enforcement organizations to make sure that there weren’t any active investigations that they might be inadvertently impeding, and it wasn’t told to hold fire.

Information Sharing

The two law enforcement organizations, while not specified to me, were likely Interpol and Europol, both of which have FBI liaisons. Of course, that doesn’t mean that the FBI wanted to reveal any information to Group-IB about in-progress operations.

“How do I put it? The information sharing even within the law enforcement community is not always everything it could be,” Woodward says.

“I mean when they get it right it’s quite spectacular,” he adds, referring in particular to last week’s crackdown on EncroChat, the encrypted cellular network to which police gained access. That operation, led by French and Dutch law enforcement agencies, with the assistance of Europol – the EU’s law enforcement intelligence agency – and the EU Agency for Criminal Justice Cooperation, known as Eurojust, resulted in 746 arrests in Britain alone, where 10,000 of EncroChat’s 60,000 customers were based (see: European Police Hack Encrypted Communication System).

Woodward says numerous big cybersecurity firms, including organizations such as Group-IB, have advisers that communicate with him and participate in working groups run by Interpol and Europol. “But whether Europol knew what was actually happening or not, who knows?” he says, referring to the Fxmsp case, which the U.S. Justice Department this week said remains ongoing and could result in the arrest of accomplices.

“Interpol and Europol are not always told what’s going on with national efforts; that’s where things might go slightly awry. And it shows really that perhaps more of the coordination role – the sorts of things that Interpol, Europol and Ameripol do, actually – it would be really good if there was a bit more of … sharing what operations were going on,” Woodward says. “But of course, the fear is, the more information you share … the more likely that it might leak out and the criminals get a head start and can get away.”

A competitor of Group-IB – U.S. threat-intelligence firm Intel417 – criticized Group-IB for publishing its report. Intel417, together with FireEye’s Mandiant, was among the security firms that shared intelligence with the FBI. Intel417 has accused Group-IB of releasing its report “for publicity and marketing under the guise of supporting the greater good.”

Commercial companies outing cybercriminals for publicity and marketing under the guise of supporting the greater good and without proper coordination and deconfliction with LE is rarely constructive and often harms law enforcement efforts [02/05]

— Intel 471 (@Intel471Inc) July 8, 2020

Research Versus Marketing

Where is the line between research and marketing?

For starters, it’s important to note that cybersecurity research has been a force for good. In an interview at Black Hat Europe in London in December 2019, Jake Williams, who heads cybersecurity consultancy Rendition Infosec and previously served as a network exploitation operator with the U.S. Department of Defense, told me that the move in recent years by private cybersecurity firms to publicly document how advanced attackers were hacking into organizations’ networks was a watershed. Threat intelligence firms releasing in-depth research into how alleged Russian hackers hit the U.S. Democratic National Committee and how alleged Chinese hackers hit the Office for Personnel Management has been instrumental in helping cybersecurity professionals learn how to better defend their organizations. Organizations can build on each other’s research as well as collaborate (see: Cybersecurity Defenders: Channel Your Adversary’s Mindset).

But when weighing how research might also serve a cybersecurity firm’s marketing needs, the picture is complicated by years of underinvestment in law enforcement, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting and serves as a cybersecurity adviser to Europol.

“In the past, many governments viewed cybercrime as an IT problem,” says Brian Honan, CEO and principal consultant at BH Consulting.

“What we are experiencing today is the result of successive governments in many countries not investing or resourcing law enforcement agencies to tackle the growing threat of cybercrime,” Honan tells me.

“In the past, many governments viewed cybercrime as an IT problem rather than a societal one, and therefore it was something better left to the IT industry to address. As a result, many cybersecurity companies have more staff – and can pay those staff better than if they joined law enforcement – and more resources to investigate cybercrime than many police forces do,” Honan says.

Hence, many law enforcement agencies rely heavily on private cybersecurity firms to help them build cases. “However, it is now getting to the stage where research by private companies is becoming not only a tool to tackle those behind cyberattacks, but also a key marketing tool in many companies’ arsenals,” he says. “This can lead to the race for private companies to get their research published for marketing gain, and is something that could potentially undermine or conflict with law enforcement investigations.”

But he adds: “Governments are now taking the threat from cybercriminals more seriously and rightly recognize it to be a societal and economic threat rather than an IT problem.” So they’ve been putting in place better information sharing arrangements. “We need to continue to build on these public/private cooperation models, to lobby governments to properly fund and support law enforcement cybercrime agencies, and to push for better international legal frameworks to support the fight against cybercrime.”

Fxmsp Case

In the case of Group-IB’s report, no one is questioning its technical bona fides. Per the U.S. indictment, the firm named an individual that the the FBI also thinks is Fxmsp.

“Our research was primarily focused on examining the threat actors’ activities and TPPs [techniques, tactics and procedures] with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp,” Group-IB CTO Dmitry Volkov tells me.

In addition, the report was published more than a year after Fxmsp appeared to have gone quiet in May 2019, when the group’s attempt to sell access to three anti-virus vendors’ networks and their source code was outed by New York-based threat intelligence firm Advanced Intelligence, in its own report. It appears to have driven Fxmsp off of the cybercrime forums it relied on to market its wares (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

Add this geopolitical wrinkle: Kazakhstan has no extradition treaty with the U.S., which may explain why Turchin hasn’t yet appeared in an American courtroom 18 months after being indicted. Perhaps the FBI was hoping he’d vacation in a country that’s friendly with the U.S., so the bureau could nab him (see: Hackers’ Vacation Plans in Disarray After Prague Arrest).

What more might Group-IB have done? “In this case, they did ask [law enforcement] – not that they need permission – but as it turns out, the guy was already aware, and I don’t think it did any real harm or damage to the case,” Woodward says.

Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Malicious Code Hid Within Apps Posted to Google Play Store Akshaya Asokan (asokan_akshaya) • July 10, 2020    

Wallpaper apps hid Joker malware (Source: Check Point Research)

Check Point Research reports that a new version of the Joker mobile malware that infects Android devices has emerged. The malware, hidden in apps in the Google Play store, has once again evaded Google’s security tools.

See Also: Leaky Mobile Containers Pose Severe Risks to E-mail and other Business APPS

Researchers found the malicious Joker code hidden within 11 seemingly legitimate apps. Google removed all of the apps – including benign-looking game and wallpaper apps – by April 30 after it was notified by the researchers, according to the Check Point report.

The Joker malware, also known as Bread, has been active since at least 2017, although it has become more prevalent over the last year. The malware has the ability to steal SMS messages, contact lists and device information from infected Android smartphones. It also automatically signs up victims for premium services from various websites, according to Check Point.

Back in January, Google announced that it had removed about 17,000 apps from its official store that were used to help distribute this malicious code.

After those apps were discovered, the operators behind Joker apparently changed tactics to get their malware back into the Google Play store, according to Check Point.

“Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enable it to get past the Play Store’s security and vetting barriers,” analysts Aviran Hazum, Bogdan Melnykov, and Israel Wernik write in their report.

Adopting New Techniques

The Check Point researchers found that the operators behind Joker adopted several techniques previously used to infect Windows-based devices and evade security tools.

The Joker gang manipulated two key features – the Notification Listener Service in Android and a dynamic DEX file. These were then used to register the victimized user for the unwanted premium services, according to the report.

In the 11 infected apps that Check Point recently found, the malware developers hid a malicious DEX file – a Windows developer feature – within the Android Manifest file, according to the report.

“In an attempt to minimize Joker’s fingerprint, the actors behind it hid the dynamically loaded DEX file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs,” the researchers note in their analysis.

The Android Manifest file, which acts as a directory, is used in every Android app. It contains essential information about each app, such as what permissions the app will need once it’s installed, and is used by the Google Play store to ensure the legitimacy of each app before it’s posted, according to the report.

The operators loaded the malware into the DEX file using Base64 encoded strings to hide the malicious code and then inserted that file into the app’s Android Manifest. This way, the malware could stay dormant and hidden until Google approved the app for the store, the researchers say.

“The malware does not need to access a [command-and-control] server, which is a computer controlled by a cybercriminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action,” the researchers note.

Once the approval process was complete and the app was posted in the official Google Play Store, the Joker malware then contacted the command-and-control server and began receiving instructions after victims downloaded the app, according to the report.

Targeting Google Play

While Google has put more money and effort into securing its app store, fraudsters and hackers keeping changing their tactics to get malicious apps posted on the platform.

Malwarebytes recently reported fraudsters were able to insert a Trojan called Cereberus into the Play Store by hiding it within a money converter app. Since March, the app was downloaded some 10,000 times by users, mainly in Spain (see: Cereberus Banking Trojan Targeted Spanish Android Users).

In other cases, researchers have found malicious code within the Google Play Store that was then used to create botnets from infected Android devices (see: Botnet Watch: Anubis Mobile Malware Gets New Features).

A U.S. Cyber Command official said that when they examine whether any given operation or even when a strategy has been successful, they’re not looking at metrics, but rather outcomes.

“It’s really about: have we enabled the collective defense of the nation,” Maj. Gen. John Morrison, Cyber Command’s outgoing chief of staff, told C4ISRNET in a July interview.

Roughly two years ago, Cyber Command and the Department of Defense started a paradigm shift for cyber policy and operations. The 2018 DoD cyber strategy tasked Cyber Command to “defend forward,” which is best described as operators working on foreign networks to prevent attacks before they happen. The way Cyber Command meets those goals is through persistent engagement, which means challenging adversary activities wherever they operate.

Part of the need for a change was that adversaries were achieving their objectives but doing so below the threshold of armed conflict – in the so-called gray zone – through cyberspace. DoD wanted to stop that from happening through more assertive cyberspace action.

Some in the academic community have wanted to see some way in which the command can measure the success of these new approaches. But Morrison explained that these outcomes, or intended effects during operations, could be enabling other partners – foreign or other agencies within the U.S. government – to take action in defense of the nation.

For example, he said that when Cyber Command teams encounter malware they haven’t seen before, they share it with partners in government, such as FBI or DHS, which can lead to the greater national collective defense.

He also noted that building partnerships enables a sense of collective defense in cyberspace and can help significantly in the future against sophisticated adversaries.

×

Morrison will be replaced at Cyber Command by Maj. Gen. David Isaacson. It is unclear where Morrison is headed next.

The need for flexibility

As Cyber Command has gained more authorities in recent years, it has been able to conduct significantly more operations and different types of operations as well, Morrison said.

Throughout these missions, leaders have learned they must be flexible, be it in tactics, structure of teams, or the capabilities they need or develop.

“We have thinking adversaries that we go against every single day. That drives us to change how we operate,” Morrison said. “You change your tactics, techniques and procedures but that’s also going to drive changes in how we train and what we train … It drives how we do capability development and development of capabilities and the employment of those capabilities, which again ties back to training at a much faster pace in this space.”

Morrison noted that this includes how teams are organized. He explained the way defensive cyber protection teams were first envisioned when they were created in 2012-2013 is not at all how they fight now.

To keep up with dynamic adversaries, Cyber Command is keeping closer watch on readiness metrics developed by the command for its cyber teams. This is a framework that details standards for how teams are equipped, manned and supplied. Cyber protection teams were detailed first and now Cyber Command has readiness metrics for combat mission teams, the offensive teams that support combatant commands, and intelligence/support teams. Officials are still working through metrics for what are called national teams that are charged with defending the nation.

The command also needs to improve the way it feeds operational requirements into capabilities cyber warriors can use, Morrison said. This includes improving acquisition practices for both of the programs of record Cyber Command is executing through its Joint Cyber Warfighting Architecture — which guides capability development priorities and includes the Unified Platform and Persistent Cyber Training Environment — and the more rapidly developed tools needed on the fly.

“That’s where you’ve got the ability inside the command now to rapidly produce that capability through a variety of means and get it into the hands of our operators as quick as possible,” he said.

In fact, the Army has begun to embed tool developers and coders alongside operators through the Rapid Cyber Development Network to more quickly meet urgent needs. This allows them in almost in near real time to develop or change tools to meet requirements.

“How do we do capability development in a much smoother fashion than we sometimes do today where we’re able to rapidly assess, prioritize, resource operational requirements to produce a capability that we can then get back into the hands of our operators as quickly as possible,” Morrison said.

From these capabilities that are developed for shorter term needs, he said the key will be deciding if they want to move them into a program of record. Will it be a longer term capability, will it adjust tactics, techniques and procedures or training?

“We’ve got to work those pieces,” he explained.

On the longer term, program of record capabilities, he noted officials still want the iterative development associated with more software-centric systems as opposed to more traditional military hardware.

Integration with combatant commands

Cyber is much more ingrained in military planning and operations than it was in years prior, Morrison said, however, work remains.

There is now a closer link between the combatant commands and Cyber Command elements that plan, coordinate, synchronize and conduct cyber operations on their behalf, Morrison said, noting that they are still maturing.

These include the Joint Force Headquarters-Cybers‚ which are commanded by each of the service cyber component commanders, and plan, synchronize and conduct operations for combatant commands they’re assigned to, and new entities being created called cyber operations-integrated planning elements. These are forward extensions of the Joint Force Headquarters resident within the combatant commands to better coordinate cyber planning with other operations for the combatant commander.

These entities all enable a greater central connective tissue from a Cyber Command perspective as they can feed from the theater level back to the command providing a global cyberspace picture.

“You have to take not only a regional view of anything that you’re doing, but, when you can bring the power of a global enterprise behind it, that’s a pretty powerful capability for our nation,” Morrison said. “We are in the process of building every one of our CO-IPEs but I definitely think that we are heading in the right direction, especially as [the CO-IPEs] get built and they integrate closer and closer with their supported combatant commands.”

Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Hacking Suspect Named in Sealed Indictment Was Independently Outed by Researchers Mathew J. Schwartz (euroinfosec) • July 9, 2020    

Andrey Turchin was named as likely being the hacker known as “Fxmsp” in a June 23, 2020, report released by Group-IB, which says it first informed law enforcement.

Did a private cybersecurity firm’s report into the “Fxmsp” hacking operation that deduced the identity of the group’s alleged leader disrupt a U.S. law enforcement investigation?

See Also: Live Webinar | Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

U.S. prosecutors on Tuesday revealed that a federal grand jury had charged Kazakhstan national Andrey Turchin, 37, with five felonies tied to computer fraud and abuse, wire fraud and access device fraud. Those revelations came after a Dec. 12, 2018, indictment against him was unsealed this week at prosecutors’ request.

U.S. attorneys say the government’s investigation is continuing, and that they expect to charge more individuals in connection with the probe of Fxmsp, which they describe as being “a prolific, financially motivated cybercriminal group composed of foreign actors that has hacked, and continues to hack, the computer networks of a broad array of corporate entities, educational institutions and governments in various countries, including the United States.”

Prosecutors’ move to unseal the indictment followed Singapore-based cybersecurity firm Group-IB on June 23 releasing a report, “Fxmsp: The Invisible God of Networks,” describing the hacking group’s operations. The title echoes a marketing tagline used by one of the group’s affiliates to advertise via cybercrime forums Fxmsp’s ability to give criminals quiet, remote access to hacked networks – for a fee, of course (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

Group-IB’s analysis found email addresses, domains and Jabber and social media accounts tied to Turchin that were also connected to Fxmsp. The firm concluded: “Andrey A. Turchin, born on December ***, 198***, living in Almaty, Kazakhstan (according to social media profiles, domain registration data, and the phone number), is presumably the attacker who hides under the nickname ‘Fxmsp.’ The fact that he uses the same nicknames and the common interests related to exchange platforms both confirm this.”

Group-IB says its report was designed to help organizations better protect themselves against the types of attacks waged by Fxmsp (see: Studying an ‘Invisible God’ Hacker: Could You Stop ‘Fxmsp’?).

“Our research was primarily focused on examining the threat actors’ activities and TPPs [techniques, tactics and procedures] with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp,” Group-IB CTO Dmitry Volkov told Information Security Media Group. “We do hope that our report will help prevent further victims and make its contribution to locating and arresting the threat actor hiding behind the nickname Fxmsp as well as his accomplices.”

Slogan used to sell remote access credentials stolen by Fxmsp, overlaid on a map of victims’ locations released last month by Group-IB

This isn’t the first time that research published by a private firm has overlapped with an active law enforcement investigation. Even so, Alan Woodward, a professor of computer science at the University of Surrey, says that in general, the more research being published on “the bad guys,” the better, especially if firms are also giving law enforcement a heads-up first, to help avoid disrupting active investigations.

“In some cases, the more eyes on the problem, the better,” he tells ISMG, because that approach can help build a more complete picture of criminals’ operations. He also notes, however, that such overlapping efforts increase the odds that “you’re going to run across each other, now and again.”

Prosecutors Have Indictment Unsealed

On Tuesday, federal prosecutors filed a motion to unseal the indictment against Turchin, aka “fxmsp.”

“U.S. authorities have reason to believe that Turchin is aware of the existence of pending criminal charges in the United States,” U.S. Attorney Brian T. Moran told Seattle federal court in a filing. “Given the group’s prolific nature, sophistication and notable victims, “fxmsp” and his accomplices, commonly referred to collectively as the “fxmsp” group, have been a subject of interest of cybersecurity researchers,” he added, and then referenced Group-IB’s report.

“In addition to tracking ‘fxmsp’s’ evolution and his group’s exploits and list of victims, this report publicly identified ‘fxmsp’ as Andrey Turchin, of Kazakhstan, and provided a detailed explanation of the researchers’ attribution determination,” he said. “Since its publication, various news outlets in the United States and abroad, citing the report, have published articles about ‘fxmsp’ and his identification as Turchin.” (Note: While ISMG has reported on Fxmsp, it declined to cite Group-IB’s assessment of the hacker’s alleged identity because it came from a single source.)

Source: Group-IB

As of Tuesday, Turchin remained a fugitive, with Moran telling the court that it was working with “foreign authorities and to pursue his apprehension to face charges in the United States.”

Moran told the court that the government had concluded that keeping the indictment under seal was no longer necessary, “given the unique circumstances of this matter, which include, among other things, Turchin’s knowledge of the criminal charges in the United States and his public identification as the prolific hacker ‘fxmsp.'”

On Wednesday, news site Bleeping Computer, which was cited – together with Forbes – by prosecutors as being one of the sites that named Turchin based on Group-IB’s report, reported that Turchin may now have been detained by local authorities in Kazakhstan.

In 2015, the U.S. signed a “mutual legal assistance in criminal matters” treaty with Kazakhstan, but currently there is no extradition treaty between the countries.

How did Turchin have knowledge of the sealed indictment returned against him 18 months ago? The Justice Department could not be immediately reached for comment.

But on Feb. 19, 2019, Moran submitted a motion to the court to unseal the indictment and arrest warrant issued for Turchin – aka Fxmsp, “Andej Turchin,” “Adik Dalv,” and “Vadim bld” – “for the limited purpose of facilitating arrests, extraditions, searches and interviews of existing and future defendants.”

At the time, Moran wrote that the limited nature of the unsealing was important. “Premature unsealing would create a substantial risk that the defendant and/or his co-conspirators will learn of the criminal investigation and charges and will take steps to thwart the efforts of law enforcement, alter criminal activity, evade arrest and destroy or tamper with evidence,” he told the court. “Notably, it is significant that, given the nature of the criminal conduct, the threat actors, including the defendant, are in possession of confidential victim information and are believed to have ongoing unauthorized access to numerous victim computer networks.”

Probe Led by FBI’s Seattle Field Office

Following the unsealing of the indictment against Turchin on Tuesday, the FBI’s Seattle office, which is leading the Fxmsp investigation, thanked the bureau’s British counterpart, the National Crime Agency, as well as the National Security Committee of the Republic of Kazakhstan, and two private-sector firms: Intel471 and FireEye’s Mandiant.

credits our partners with this investigation to include UK’s National Crime Agency, the National Security Committee of the Republic of Kazakhstan (KNB), and support from private sector intelligence partners Intel471 and FireEye/Mandiant @NCA_UK @Intel471Inc @FireEye

— FBI Seattle (@FBISeattle) July 8, 2020

Other firms that contributed intelligence to the FBI included Advanced Intelligence, aka AdvIntel, which is a fraud-prevention and risk-management firm based in New York. In May 2019, the firm issued a report detailing an attempt by Fxmsp to sell alleged remote access to three anti-virus vendors’ networks – McAfee, Trend Micro and Symantec/Norton – as well as to their stolen source code (see: Crime Gang Advertises Stolen ‘Anti-Virus Source Code’).

Yelisey Boguslavskiy, AdvIntel’s CEO, has told ISMG that the impetus for his company’s report was to shine a light on Fxmsp’s operations, and drive them off of the cybercrime forums they relied on for advertising stolen access credentials for hacked networks. He says his company provided a private report with many more details to law enforcement.

“Advanced Intelligence was honored to support our nation’s law enforcement and the FBI Cyber Crime Task Force specifically with all advanced HUMINT” – referring to human intelligence, meaning insights gleaned potentially from person-to-person interactions on the cybercrime underground – “that we received in our investigation of the ‘Fxmsp’ group,” AdvIntel said on Wednesday.

While the company’s public 2019 report detailed Fxmsp’s history and operations, it did not suggest what the real-world identify of any of the group’s members might be. Yelisey Boguslavskiy, AdvIntel’s CEO, said that members of the group had been acting in publicly trackable ways as well as privately for clients.

Source: AdvIntel

“Fxmsp was acting privately – beyond forums – until May 9, 2019, when we terminated their operations,” Boguslavskiy has told ISMG (see: Hacking Timeline: Fxmsp’s Rise and Apparent Fall).

Did Report Complicate Investigation?

Eighteen months after Turchin was charged via a sealed indictment – which was not public knowledge – and 16 months after prosecutors obtained court approval to selectively unseal the indictment and arrest warrant to facilitate international arrests and extraditions, again not for public distribution, Group-IB released its report into Fxmsp.

Intel471, the cyber intelligence firm that contributed Fxmsp intelligence to the FBI and which was publicly thanked by the bureau for such efforts, suggests that by revealing the identity of Fxmsp, Group-IB’s report disrupted the active law enforcement – aka LE – investigation.

“Commercial companies outing cybercriminals for publicity and marketing under the guise of supporting the greater good and without proper coordination and deconfliction with LE is rarely constructive and often harms law enforcement efforts,” Intel471 says. “The FXMSP case serves as a lesson learned for vendors. A detailed report published by a security vendor has seemingly forced LE to unseal a criminal indictment, publicize a case and likely introduced new challenges for their investigation. We hope that in the future more companies will operate more responsibly and that buyers of security products and services factor this in when choosing who to partner with.”

Group-IB Shared Information With Authorities

But Group-IB says it fully informed law enforcement organizations prior to publishing anything, querying whether taking that step might disrupt any of their efforts.

“Ahead of making public any threat reports on cybercriminals, Group-IB contacts law enforcement agencies to make sure that such releases will not hamper any ongoing investigations, and the case with Fxmsp was clearly no exception,” a company spokeswoman tells ISMG.

“In May, the expanded version of the report about the threat actor was handed over to two international law enforcement agencies, with which the United States has ties,” the spokeswoman says. “Group-IB, in particular, provided the two organizations with the list of victims that the company was able to identify and the information which ultimately was the basis for establishing Fxmsp’s presumed identity, including his Jabber, and accounts on various underground forums. In keeping with ethical principles, neither victims nor personal information of the threat actor were included in the report’s public version.”

Group-IB says it informed the law enforcement agencies of its plan to make parts of the report public “and inquired if there were any ongoing investigations with respect to the threat actor to ascertain that the report’s publication wouldn’t do any harm to the legal proceedings.” Group-IB says the message that it received was that those law enforcement organizations “had no issues with Group-IB making the report public,” leading it to “release the report with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp.”

The Importance of Passive Tracking

Although the University of Surrey’s Woodward advocates that cybersecurity firms and researchers maintain ties with law enforcement, as Group-IB and others do, he says that law enforcement doesn’t always share information about operations they might have in progress, for fear that the information could get out. In addition, he says research published by private cybersecurity firms may later prove crucial for helping to build a case – as well as support it in court.

In this case, he doesn’t think Group-IB’s report harmed the investigation. “I’ve seen cases in the past, where various undercover operations thought they were tracking criminals, but what they were really doing is tracking other undercover operations,” he says.

“But this sort of thing, it’s not active tracking; it’s passive. You’re sort of looking at their footprints in the snow and seeing where they’ve gone and if you can put a case together,” Woodward adds. “That’s when I think it makes sense to name them, and especially in this case, they did ask – not that they need permission, but they just wanted to make sure they weren’t going to tread on any toes and that there wasn’t someone about to swoop on the guy. But as it turns out, the guy was already aware, he wasn’t going to go anywhere, so I don’t think it did any real harm.”

Account Takeover , Cybercrime , Fraud Management & Cybercrime

Researchers: App Initially Acts Benign to Avoid Detection Prajeet Nair (@prajeetspeaks) • July 9, 2020    

The malware that Avast discovered is named after the mythical creature Cerberus (Image: Wikipedia)

A fake currency converter app in the official Google Play store, which has been downloaded more than 10,000 times since March, hid a banking Trojan and information stealer called Cerberus, according to Avast Mobile Threat Labs.

See Also: Are you using the best approach to verify customer identities?

The fake app, called “‘Calculadora de Moneda,” appears to have targeted only Android users in Spain, Avast says. Researchers determined this app managed to bypass security features embedded in the Google Play store that are designed to keep out malware.

“This banking Trojan managed to sneak onto the Google Play Store. The ‘genuine’ app, in this case, posed as a Spanish currency converter called ‘Calculadora de Moneda,'” says Ondrej David, malware analysis team leader at Avast.

On Monday, after the researchers had begun investigating the suspicious Calculadora de Moneda app, the command-and-control server associated with the malware appeared to have stopped operating, the report notes.

Avast reached out to Google to inform the company about the fake app. A Google spokesperson could not be immediately reached for comment, but and a scan of the Play Store could not locate the Calculadora de Moneda converter.

And while the Avast report noted that the app had been downloaded more than 10,000 times since March, the researchers did not note if the banking Trojan stole any credentials or data.

Over the last several months, researchers have noted an uptick in the number of banking Trojans targeting users. Analysts have found malware such as IcedID and Qbot being revamped or more widely used by malicious actors (see: Revamped IcedID Banking Trojan Campaign Uses COVID-19 Lure and Researchers: Qbot Banking Trojan Making a Comeback).

Stealth Mode

The currency converter app that Avast discovered was designed to avoid detection by both the user and Google Play Store’s security tools. When an Android user first downloaded the app, it did not immediately perform any malicious activity that would raise suspicion. Instead, it simply acted as a money converter, according to the Avast report. The researchers found that this was part of an obfuscation technique and the money converter actually acted as a dropper.

After a few weeks, the app contacted a command-and-control server operated by the fraudsters and downloaded a malicious Android application package called “Banker” onto infected devices, according to the researchers’ report.

Even when the Banker malware was downloaded, the Calculadora de Moneda app functioned as normal without any additional malicious activity, the researchers note.

“Later versions of the currency converter included a ‘dropper code’ but it still wasn’t activated initially, i.e. the command-and-control server instructing the app wasn’t issuing any commands and so users wouldn’t see and download the malware,” the report notes.

Ready to Run

After a few more weeks, the app contacted the command-and-control server for a second time. At this point, the actual Trojan – Cerberus – was downloaded to the device, and it then attempted to steal banking data and credentials from the victim, according to the report.

Once fully installed, Cerberus “sat” over the victim’s legitimate banking app waiting for the user to log into their account. The malware created a layover across the login screen of the victim’s banking app, which could then steal credentials and other data, according to the report.

In addition to stealing credentials, Cerberus could intercept and read text messages on an infected Android device, which allowed it to bypass two-factor authentication security.

The Avast researchers note that most of the Cerberus Trojans started downloading to infected devices around July 1. By Monday, however, the command-and-control server stopped functioning and the attacks appear to have stopped.

“Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection, i.e. limiting the time window where the malicious activity can be discovered,” David noted in the report.

Malware and Google Play

While the security features within the Google Play store are supposed to scan and block apps that contain malware such as Cerberus, researchers have noted that fraudsters have been getting better at designing fake apps that avoid detection.

In April, for example, Kaspersky published a report that found a sophisticated spyware campaign has been targeting Android users through Trojan-laced apps in the Google Play Store that are disguised as various plugins, browser cleaners and application updaters (see: Spyware Campaign Leverages Apps in Google Play Store).

Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Report: Little-Known Evilnum Group Relies on Spear-Phishing Emails Akshaya Asokan (asokan_akshaya) • July 9, 2020    

How a typical Evilnum attack against a fintech target unfolds (Source: ESET)

A little-known advanced persistent threat group dubbed Evilnum has been targeting fintech firms in the U.K. and Europe over the past two years, using spear-phishing emails and social engineering to start their attacks, according to the security firm ESET.

See Also: Live Webinar | Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

In a report released Thursday, ESET researchers say the group recently expanded its targets beyond British and other European firms to companies in Canada and Australia. The report did not name any of the targeted companies.

“According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading,” the researchers note. “Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks.”

The APT group is believed to use a malware strain that is also called Evilnum, but is sometimes referred to as CardinalRAT and CarpDownloader, according to ESET.

This JavaScript malware was first spotted in 2018 by Palo Alto Networks’ Unit 42 and had previously targeted Israeli fintech companies. The Evilnum malware steals a wide variety of information, including customer records, credit card numbers and a device’s Microsoft license number, the report notes.

The spear-phishing emails the APT group uses attempt to infect devices with the Evilnum malware as well as other types of malicious code purchased or rented from other hacking groups.

The ESET report does not draw a conclusion as to where the Evilnum group is based. But it’s likely the threat actors have had some success targeting fintech firms since their activities began in 2018, says Matias Porolli, an ESET threat researcher.

“Judging by the fact that the attacks are targeted and the potential victims are approached with specific – not mass-sent – emails, we believe the attackers were successful in their efforts,” Porolli tells Information Security Media Group.

Infection Tactics

Evilnum’s first step is sending out spear-phishing emails to technical support representatives and account managers within the target organization with financial document attachments as a lure, the researchers note.

When the victim opens the email, a Zip archive extracts and executes a malicious LNK file – a shortcut used in Windows – that runs a JavaScript component and also displays a decoy document, the report notes.

“The documents used as decoys are mostly photos of credit cards, identity documents, or bills with proof of address, as many financial institutions require these documents from their customers when they join, according to regulations,” the report notes.

Fake documents used to help spread Evilnum malware (Source: ESET)

The ESET researchers also point out that these documents appear to be genuine and may have been collected by the threat actors from various sources to add legitimacy to their attacks.

Once the targeted victim clicks on the LNK file to view one of the documents, the malware begins to load in the background and infect their device, according to the report.

Once the attackers successfully infect devices and a network, the malware steals sensitive corporate data, such as customer lists, credit card information and other personally identifiable data, along with the firm’s investments and trading operations data, the ESET researchers report.

In the next phase of the attack, the JavaScript components deploy other malware the Evilnum operators purchased from other hackers, including code written in C# from the malware-as-a-service provider Golden Chickens, the report notes. The attackers also use Python-based tools in their toolkits, the researchers add.

While the JavaScript component acts as a backdoor and handles communications with the command-and-control server, the C# code takes on other tasks, including grabbing a screenshot whenever the mouse is moved over a certain length of time, sending system information back to the operators as well as stealing cookies and credentials. Eventually, this process will kill the malware when the campaign is complete, according to the report.

The attackers then use a number of additional Golden Chicken tools to perform anti-debugging techniques and identify anomalies in order to identify a sandbox. If one is spotted, this technique will prevent the code from executing to help prevent detection, the researchers add. These tools also help the attackers collect data from victims’ email applications and gain additional persistence, according to the report.

In the final stage of the attack, the group deploys a Python-based infrastructure to take additional screen shots, perform key-logging and collect data. The malware then snatches the device’s Microsoft Office and Windows licenses and sends them to the command-and-control server.

Rise in APT Attacks

Since the start of the COVID-19 pandemic, APT groups have turned their attention to large enterprises, security experts note.

For example, an April report from security firm Malwarebytes found that APT groups with links to China, Russia and North Korea were using new tactics to target an increasing number of victims.

In May, U.S. and U.K. authorities warned that APT groups are using “password spraying campaigns” to target medical institutions, pharmaceutical companies, universities and others conducting COVID-19 research (see: Alert: APT Groups Targeting COVID-19 Researchers).

The latest edition of the ISMG Security Report analyzes the surge in the use of employee monitoring tools for the increasingly remote workforce.

In this report, you’ll hear (click on player beneath image to listen):

• ISMG’s Mathew Schwartz discuss the latest employee monitoring trends;
• ISMG’s Jeremy Kirk analyze the issues involved in sorting through more than 1,000 IoT security guidelines;
• Attorney Sadia Mirza address the impact of the California Consumer Privacy Act now that it’s being enforced.

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the June 26 and July 3 editions, which respectively discuss keeping IoT devices secure and a progress report on digital IDs.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.